Package: cryptsetup
Version: 2:2.1.0-5+deb10u2
Severity: normal

Dear Maintainer,

I have been toying around with LUKS2 integrity and have found a situation that apparently leads to a "Killed" process or a segmentation fault which looks like it is due to a NULL pointer dereference in my dmesg output. This led me to change some of my original luksFormat parameters from using benbi for IV generation over to plain64be, which does seem to work. It also makes me question whether benbi is a good or bad choice to use for a wide block XTS mode, as I have been using for years. Any input? I'm no expert.

In short, this fails:

# cryptsetup luksFormat \
    --cipher=twofish-xts-benbi \
    --hash=sha512 \
    --verify-passphrase \
    --key-size=512 \
    --use-random \
    --type=luks2 \
    --pbkdf=argon2id \
    --pbkdf-memory=1048576 \
    --pbkdf-parallel=4 \
    --pbkdf-force-iterations=5 \
    --integrity=hmac-sha256 \
    --integrity-no-journal \
    --sector-size=4096 \
    /dev/kvmhost_vg/root

And, this works:

# cryptsetup luksFormat \
    --cipher=twofish-xts-plain64be \
    --hash=sha512 \
    --verify-passphrase \
    --key-size=512 \
    --use-random \
    --type=luks2 \
    --pbkdf=argon2id \
    --pbkdf-memory=1048576 \
    --pbkdf-parallel=4 \
    --pbkdf-force-iterations=5 \
    --integrity=hmac-sha256 \
    --integrity-no-journal \
    --sector-size=4096 \
    /dev/kvmhost_vg/root

Some more random information, for which feedback is always appreciated:

My rationale for using benbi might have always been way off base. I have been known to use pvmove to "defrag" my lvm2 volumes in the past and have always been worried about this somehow breaking my encryption. It never has broken with benbi, and as I understood it, the IV counters would start at 1 and never be tied directly to any physical hard drive sector. However, maybe LVM "sectors," since this occurs before the encryption, are what the IVs have always been based upon. Does anybody know if there is any truth in that? I have not decided to "defrag" my lvm2 volumes in ages. In any case, I can live with plain64 or plain64be, especially if I have been doing it wrong all along!

Mainly, I wanted maintainers to be aware of this crash.

Thank You,
Jerad Simpson

-- Package-specific info:

-- System Information:
Debian Release: 10.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_DIE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages cryptsetup depends on:
ii  cryptsetup-initramfs  2:2.1.0-5+deb10u2
ii  cryptsetup-run        2:2.1.0-5+deb10u2

cryptsetup recommends no packages.

cryptsetup suggests no packages.

-- no debconf information
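
The three IV generators named in the report above, as an added example that is not part of the original bug report or of cryptsetup's own code: a Python model of how dm-crypt derives the per-sector IV for plain64, plain64be and benbi. It assumes a 16-byte IV and a 16-byte cipher block (as for Twofish) and IV sector numbers counted in 512-byte units; the function names are illustrative.

```python
import struct

SECTOR_SHIFT = 9            # assumption: IV sector numbers count 512-byte units
MASK64 = (1 << 64) - 1


def iv_plain64(sector: int, iv_size: int = 16) -> bytes:
    """plain64: sector number as 64-bit little-endian, zero-padded at the end."""
    return struct.pack("<Q", sector & MASK64) + bytes(iv_size - 8)


def iv_plain64be(sector: int, iv_size: int = 16) -> bytes:
    """plain64be: sector number as 64-bit big-endian in the last 8 IV bytes."""
    return bytes(iv_size - 8) + struct.pack(">Q", sector & MASK64)


def iv_benbi(sector: int, cipher_block: int = 16, iv_size: int = 16) -> bytes:
    """benbi: big-endian count of cipher ("narrow") blocks, starting at 1."""
    if cipher_block <= 0 or cipher_block & (cipher_block - 1):
        raise ValueError("cipher block size must be a power of two")
    log = cipher_block.bit_length() - 1
    if log > SECTOR_SHIFT:
        raise ValueError("cipher block size larger than a 512-byte sector")
    # Each 512-byte sector holds 2**(9 - log) cipher blocks; +1 makes the
    # counter start at 1 for the first block of sector 0.
    count = ((sector << (SECTOR_SHIFT - log)) + 1) & MASK64
    return bytes(iv_size - 8) + struct.pack(">Q", count)


def iv_table(sectors):
    """Return (sector, plain64, plain64be, benbi) rows with hex-encoded IVs."""
    return [(s, iv_plain64(s).hex(), iv_plain64be(s).hex(), iv_benbi(s).hex())
            for s in sectors]


if __name__ == "__main__":
    # Constructed sample input. The sector numbers are offsets from the start
    # of the encrypted mapping (plus any configured IV offset), not positions
    # on a physical disk, so all three generators take the same single input.
    for row in iv_table([0, 1, 8]):
        print("sector %-2d plain64=%s plain64be=%s benbi=%s" % row)
```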